Ethereum Based DeFi Platform, bZx, Loses $645,000 In Second Exploit

Feb 18 2020

Ethereum built DeFi, bZx, has been compromised again barely a week after a malicious attacker got away with over $350,000 in ETH. The new hack is estimated to have caused a loss of $645,000 which is roughly 2,388 Ether (ETH). bZx is now under pressure from its stakeholders including the DeFi lending platform, Compound, which unknowingly provided part of the loan used to facilitate the first attack.

According to Kyle Kistner, a co-founder of bZx, the latest attack appears to be an oracle manipulation within the platform’s ecosystem. In a tweet on Feb 18, bZx came out to say that the protocol has since been paused again;

“We have hit the pause button on the protocol again in light of suspicious transactions using flash loans and trading on Synthetix.”

The bZx Hack in Detail

The first hack which took place on Feb 14 is an interesting one and may have revealed the looming risks of arbitrage opportunities in decentralized finance. This scheme was planned and executed through several digital assets including ETH and wBTC. The attacker took out an initial loan of 10,000 ETH that they used to acquire a leveraged position large enough to twitch the value of their collateral.

Decentralized lending protocols that were used as a means in the Feb 14th attack include Compound and dY/dX. The former provided an estimated $1 million to the attacker based on collateralization of wrapped BTC while the latter facilitated 10,000 ETH at the very beginning. Compound founder, Robert Leshner, speaking to the Block called for a look into bZx’s operations following these developments;

“Security is the ultimate priority for a financial product. The bZx team has repeatedly demonstrated that it isn’t capable of protecting user funds, and should immediately cease operations until the platform can be thoroughly and completely audited.”

As of press time, the exact nature of the bZx second attack is yet to established. Kistner however through telegram hinted a possible network manipulation. The co-founder was keen to assure stakeholders that the situation is under control despite stats showing close to half of the locked ETH have been wiped out in four days.

Comments